Blog >> Foxit Reader

Investigating Foxit Reader

17/09/2021 Friday

Foxit Reader is a PDF document reader and viewer software similar to Adobe Acrobat Reader, which provides PDF document management solutions. It enables the user to view, edit, comment, sign, print, share, and export PDF files for free with annotations and online storage. Unlike Adobe Acrobat Reader, the software offers a variety of other features such as encryption, merge/append, and watermarking. In addition to its rich feature set, Foxit Reader is also distinguished for its speed and smaller file sizes. The software is available on desktop (Windows, macOS and Linux) and mobile (Android and iOS).


Digital Forensics Value of Foxit Reader Artifacts


Foxit Reader is one of the most popular PDF document management tools. According to its official website, Foxit Reader has more than 560 Million users and has sold the software to over 100,000 customers over 200 countries. Due to its widespread adoption, Foxit Reader artifacts can provide examiners with substantial information that will support digital forensic investigations. Foxit Reader artifacts retain information like last accessed files, usage duration, file path, and page numbers. In addition, it contains multiple important timestamps such as the date/time when the software was last started/ended.


Location of Foxit Reader Artifacts


Foxit Reader artifacts are located in the NTUSER.dat registry hive at the following locations:

NTUSER.DAT\Software\Foxit Software\Foxit Reader<version>\plugins\Updater\
NTUSER.DAT\Software\Foxit Software\Foxit Reader<version>\CollectionInfo
NTUSER.DAT\Software\Foxit Software\Foxit Reader<version>\CommentPanel\Filter


Structure of Foxit Reader Artifacts


Foxit Reader artifacts are stored in NTUSER.DAT registry hive. The registry hive format is a binary file with a group of keys, subkeys, and values. Foxit Reader key contains multiple subkeys that store information such as recently accessed files, the location of these files, and much more.


Analyzing Foxit Reader Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to analyze Foxit Reader artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Foxit Reader artifacts:




ArtiFast can analyze Foxit Reader Commented Files, General Information, Last Opened Files, Recent Files, and Recent Folders. For demonstration purposes, all the artifacts have been chosen, however, you have the option to select one or more artifacts.



Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Foxit Reader artifacts in ArtiFast software.


Foxit Reader Commented Files Artifact

This artifact contains information related to Foxit Reader commented files. The details you can view include:


Foxit Reader General Information Artifact

This artifact contains general information about the software on a Windows device. The details you can view include:


Foxit Reader Last Opened Files Artifact

This artifact contains information about the last opened files. The details you can view include:

  • File Path - Last opened file path.
  • Page Number - Page number.
  • Last Write Date/Time - File entry last write date/time.


Foxit Reader Recent Files Artifacts

This artifact contains information about the recent files. The details you can view include:

  • File Path - Most recently used file path.


Foxit Reader Recent Folders Artifacts

This artifact contains information about the recent folders. The details you can view include:

  • Folder Path - Recent folder path.